Advanced configuration
You can update the following settings when HA is active, and it won't result in downtime.
Keepalive timer
The keepalive timer has the following settings:
- The keepalive interval is the duration between two successive keepalive retransmissions.
- The keepalive attempts are the number of attempts before determining whether a device has failed. For example, if you configure the keepalive request interval to 250 ms and keepalive attempts to eight, the device will be declared dead after 250 * 8 = 2 seconds.
Here's an example of the keepalive timer settings.
Cluster ID
A cluster is a pair of devices operating in HA. Devices in the same cluster must share the same cluster ID. If you have multiple HA clusters, assign a different ID to each cluster.
Monitoring ports
If any monitored port goes down, the device leaves the cluster, and a failover occurs.
Peer administration port
The port used for administration purposes on the auxiliary device.
Using the hypervisor-assigned MAC address
When you run a virtual Sophos Firewall device, you don't need to turn on promiscuous mode on the vSwitch.
Failing back to the primary device
When a failover occurs, traffic is routed through the auxiliary device. Select this option if you want to move back automatically to the primary device when it recovers.
When you set a preferred primary device, the cluster behaves as follows:
- The device you're signed in to when you turn on this option becomes the preferred primary.
- Whenever the preferred primary device restarts or comes up again after a failover, it restarts the peer device once all services are started and synchronized. It then becomes the primary device again.
Here's an example of how this works: